A view from DC: Play time is over, risk assessments are here

A recent California action highlights the steep risks of delayed CCPA compliance and the state's expectation for timely, rigorous privacy risk assessments.

Contributors:
Cobun Zweifel-Keegan
CIPP/US, CIPM
Managing Director, D.C.
IAPP
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
This week, the California Privacy Protection Agency announced a USD1.1 million settlement with PlayOn Sports, the operator of a digital ticketing platform called GoFan. Measured by fine amount, this marks the agency's second-largest enforcement action to date. Beyond the headline fine, buried in the order's settlement terms is one that should make any privacy officer's ears perk up: an explicit requirement for the company's future privacy risk assessments to be reviewed by its Board of Directors.
But first, some quick background on this case.
PlayOn's primary business model is to partner with high schools to provide ticketing services for sporting events. The settlement addresses allegations that the company violated California's privacy law by requiring students and parents to accept tracking technologies as a condition of accessing digital tickets, without providing proper options to opt out of the sale or sharing of their personal data. In its press release, the agency focuses on the fact that student information was involved in the case, perhaps signaling why the company's practices were closely scrutinized.
According to CalPrivacy, the company failed to fully modernize its opt-out and notice compliance during the first two years of the updated rules under the California Privacy Rights Act — 2023 and 2024.
A very expensive ad campaign
The factual allegations in the stipulated order state that PlayOn ran only a single ad campaign during the time period in question. "Nevertheless," the order continues, "PlayOn's use of certain Tracking Technologies on its Digital Properties constituted the Sale and Sharing of Personal Information under the CCPA."
The company's alleged failure to refine its opt-out mechanisms in a timely manner once the CCPA's sharing and selling preference obligations came into effect led to more than a few of the charges in the complaint.
Thus, as it turns out, that single ad campaign arguably ended up costing the company USD1.1 million in fines through this CalPrivacy enforcement action.
How is that for cost per click?
Keeping up with the risk assessment Joneses
Timeliness is everything when it comes to privacy compliance. The PlayOn settlement underscores this point in another way besides the allegations of a two-year delay in getting up to speed on general updates in California's law.
The order also goes out of its way to remind privacy pros about the importance of complying with California's new risk assessment requirements, which went into effect 1 Jan. These were, of course, not required during the period under investigation. Even so, as part of the terms of the settlement, the company has agreed to abide by this new compliance requirement moving forward, and then some.
California uniquely requires companies to submit an annual summary of their risk assessments to CalPrivacy. Although the first submission deadline is not until 1 April 2028, the agency is expecting to receive assessments documenting compliance for 2026 and 2027 at that time. Moving forward, just like tax season, these summaries will be due every April. This differs from Colorado, for example, where assessments must simply be available for production if requested by the attorney general.
A quick review of the requirements: formal assessments are required whenever there is a "significant risk" to consumer privacy, including when a company sells or shares personal information, processes sensitive data, uses automated decision-making technologies for significant decisions, or deploys biometrics or facial recognition. Risk assessments require documentation of the specific purposes of data processing and the minimum necessary data to achieve the purpose. And they should include a formalized weighing of the documented risks against any benefits to the business, consumers or the public.
Colorado's risk assessment regulations were previously the most prescriptive and helpful in explaining the enforcer's expectations. But California's are now far more detailed. Another example: while Colorado mentions regularly updating risk assessments as data processing changes, California has a strict update requirement. They must be conducted annually or, in the event of a material change in the risk profile, within 45 days of that change.
California even provides guidance on what counts as a material change to processing activity, including anything that creates "negative impacts or increases the magnitude or likelihood of previously identified negative impacts" or "diminishes the effectiveness of the safeguards" identified in prior risk assessments.
Notably, as another injunctive term of the settlement, PlayOn must update risk assessments before a material change, rather than within a 45-day grace period.
Ready for Board of Directors review?
Under California's risk assessment regulations, a company's risk assessment documentation must identify the individuals who conducted the assessment. Though this implies a sign-off from a chief privacy officer or legal lead, there is no explicit requirement for higher-level review.
Instead, the PlayOn order forces a board of directors review, likely as an injunctive term to guarantee that the company's alleged privacy missteps don't happen again. Moving forward, the board must sign off, and the assessment must document the names of the individuals on the board who reviewed it.
Depending on the structure of your company, it might not be a bad idea to incorporate board approval of privacy risk assessments into the standard process, or at least to include senior executive sign-off.
Nevertheless, if you would rather avoid this step, CalPrivacy makes clear through this enforcement action that swift and thorough compliance is essential.
Please send feedback, updates and memories of Friday night lights to cobun@iapp.org.
